Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,

and CLUSTER) execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. The purpose of this change is to ensure that user-defined functions used in index definitions cannot acquire the privileges of a superuser account that is performing routine maintenance. While a function used in an index is supposed to be IMMUTABLE and thus not able to do anything very interesting, there are several easy ways around that restriction; and even if we could plug them all, there would remain a risk of reading sensitive information and broadcasting it through a covert channel such as CPU usage. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. Thanks to Itagaki Takahiro for reporting this vulnerability. Security: CVE-2007-6600
2025-12-02 23:42:46 +03:00 · 2008-01-03 21:23:15 +00:00
parent 98f27aaef3
commit eedb068c0a
13 changed files with 237 additions and 127 deletions
--- a/src/backend/utils/fmgr/fmgr.c
+++ b/src/backend/utils/fmgr/fmgr.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/fmgr/fmgr.c,v 1.112 2008/01/01 19:45:53 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/fmgr/fmgr.c,v 1.113 2008/01/03 21:23:15 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -864,6 +864,7 @@ fmgr_security_definer(PG_FUNCTION_ARGS)
 	struct fmgr_security_definer_cache *volatile fcache;
 	FmgrInfo   *save_flinfo;
 	Oid			save_userid;
+	bool		save_secdefcxt;
 	volatile int save_nestlevel;

 	if (!fcinfo->flinfo->fn_extra)
@@ -908,46 +909,50 @@ fmgr_security_definer(PG_FUNCTION_ARGS)
 	else
 		fcache = fcinfo->flinfo->fn_extra;

-	save_flinfo = fcinfo->flinfo;
-	/* GetUserId is cheap enough that no harm in a wasted call */
-	save_userid = GetUserId();
+	/* GetUserIdAndContext is cheap enough that no harm in a wasted call */
+	GetUserIdAndContext(&save_userid, &save_secdefcxt);
 	if (fcache->proconfig)		/* Need a new GUC nesting level */
 		save_nestlevel = NewGUCNestLevel();
 	else
 		save_nestlevel = 0;		/* keep compiler quiet */

+	if (OidIsValid(fcache->userid))
+		SetUserIdAndContext(fcache->userid, true);
+
+	if (fcache->proconfig)
+	{
+		ProcessGUCArray(fcache->proconfig,
+						(superuser() ? PGC_SUSET : PGC_USERSET),
+						PGC_S_SESSION,
+						GUC_ACTION_SAVE);
+	}
+
+	/*
+	 * We don't need to restore GUC or userid settings on error, because the
+	 * ensuing xact or subxact abort will do that.  The PG_TRY block is only
+	 * needed to clean up the flinfo link.
+	 */
+	save_flinfo = fcinfo->flinfo;
+
 	PG_TRY();
 	{
 		fcinfo->flinfo = &fcache->flinfo;

-		if (OidIsValid(fcache->userid))
-			SetUserId(fcache->userid);
-
-		if (fcache->proconfig)
-		{
-			ProcessGUCArray(fcache->proconfig,
-							(superuser() ? PGC_SUSET : PGC_USERSET),
-							PGC_S_SESSION,
-							GUC_ACTION_SAVE);
-		}
-
 		result = FunctionCallInvoke(fcinfo);
 	}
 	PG_CATCH();
 	{
 		fcinfo->flinfo = save_flinfo;
-		/* We don't need to restore GUC settings, outer xact abort will */
-		if (OidIsValid(fcache->userid))
-			SetUserId(save_userid);
 		PG_RE_THROW();
 	}
 	PG_END_TRY();

 	fcinfo->flinfo = save_flinfo;
+
 	if (fcache->proconfig)
 		AtEOXact_GUC(true, save_nestlevel);
 	if (OidIsValid(fcache->userid))
-		SetUserId(save_userid);
+		SetUserIdAndContext(save_userid, save_secdefcxt);

 	return result;
 }